Ukraine, mystery on a weaponized document on elections. APT28 or not?

Yoroi-Cybaze: Mystery on a malicious document referencing the Ukraine election. It is the first step of a more complex cyber attack and contains a payload used by the Emotet banking malware. Some researchers believe it is the work of the Russian state-sponsored hackers APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).

Mystery on a suspicious document referencing the Ukraine election. According to Yoroi-Cybaze cyber security experts, this file was uncommon. It seemed carefully prepared and discussed who is leading in the election polls, arguing about the life of the favourite candidate, Volodymyr Zelenskiy, who is described as the "Servant of the People", along with a strong headline referencing conflicts between Ukraine and Russia: a copy of the Daily Express article published back in February. But it is malicious and the first step of a more complex cyber attack. It carries a protected macro that hides a payload used by the Emotet banking malware. The problem is the attribution. Some researchers believe it is the work of the Russian state-sponsored hackers APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM). Yoroi, instead, is not sure.

The Italian cyber security experts, indeed, found some confusing elements in the weaponized document and today are not sure that APT28 is responsible for it. So they decided to deepen the investigation.

The cyber security experts found some confusing elements in the malicious document. According to Yoroi's blog, first of all, it is not obfuscated in any way. The user can read the entire article about the Ukraine elections, so why should he enable the macros? Moreover, the macro code itself is fully readable, with no encryption or obfuscation used to evade detection. The only macro protection mechanism is locking the VBA project from viewing with a password, which is easily bypassed with classic malware analysis tools. None of these elements is characteristic of the canonical APT28 droppers, which have traditionally relied on heavy obfuscation. Furthermore, the macro structure differs from that of a similar, older sample attributed to APT28, even if some function names are the same. So the Italian researchers decided to investigate further, in order to better explore the issue.
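As an added illustration of the point above (not code from Yoroi's report, and not the real macro), a small Python triage script that scores VBA source for the obfuscation tells the analysts found absent here; both macro snippets are constructed samples.

```python
"""Triage heuristic: does a macro read as written, or was its source obfuscated?
Added example; the two VBA snippets below are constructed, not the real document's."""
import re

READABLE_VBA = '''Sub AutoOpen()
    ' Constructed sample: plain, human-readable macro source
    Dim msg As String
    msg = "Servant of the People"
    MsgBox msg
End Sub
'''

OBFUSCATED_VBA = '''Sub AutoOpen()
    ' Constructed sample: the text assembled indirectly, a common evasion pattern
    Dim qZx As String, i As Long
    qZx = Chr(83) & Chr(101) & Chr(114) & StrReverse("tnav") & ChrW(32)
    For i = 1 To Len(qZx): Mid(qZx, i, 1) = Chr(Asc(Mid(qZx, i, 1)) Xor 7): Next
    MsgBox qZx
End Sub
'''

# Textual tells of macro obfuscation; hand-written code rarely needs them.
OBFUSCATION_PATTERNS = {
    "chr_calls": r"\bChrW?\s*\(",               # strings built one code point at a time
    "strreverse": r"\bStrReverse\s*\(",         # strings stored backwards
    "xor": r"\bXor\b",                          # in-macro decoding loops
    "hex_literals": r"&H[0-9A-Fa-f]{2,}",       # raw byte values instead of text
    "literal_chains": r'(&\s*"[^"]*"\s*){3,}',  # "a" & "b" & "c" & ... splitting
}

def obfuscation_indicators(vba_source: str) -> dict:
    """Count each obfuscation tell (VBA is case-insensitive) and sum them into a score."""
    counts = {name: len(re.findall(pat, vba_source, flags=re.IGNORECASE))
              for name, pat in OBFUSCATION_PATTERNS.items()}
    counts["score"] = sum(counts.values())
    return counts

def classify_macro(vba_source: str) -> str:
    """'readable' is the case described above: source that reads exactly as written."""
    score = obfuscation_indicators(vba_source)["score"]
    if score == 0:
        return "readable"
    return "obfuscated" if score >= 3 else "mixed"

if __name__ == "__main__":
    for label, src in (("readable", READABLE_VBA), ("obfuscated", OBFUSCATED_VBA)):
        print(label, classify_macro(src), obfuscation_indicators(src))
```

Run it against module source dumped by your usual extraction tool (the page notes the project password lock does not stop that); a score of zero on a macro that drops a payload is itself an unusual trait worth recording in the attribution notes.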